Create the test users as the uxdb user:
create user developer with password '1qaz!QAZ';
create user manager with password '1qaz!QAZ';
Create the policy and the subject (user) labels as the uxop user:
-- policy pl2 with levels public and secret and compartments developer and manager
select mac_create_policy('pl2','public,secret','developer,manager');
-- the first label after the policy name is the user's maximum read label (max_read)
select mac_set_user_label('developer','pl2','secret:developer','secret:developer','secret:developer','public:developer','secret:developer');
select mac_set_user_label('manager','pl2','secret:developer,manager','secret:manager','secret:manager','public:manager','secret:manager');
Set a label on column id3 of table public.test_infer:
select mac_set_column_label('public','test_infer','id3','pl2','secret:manager,developer');
developer's maximum read label (max_read) is secret:developer.
manager's maximum read label (max_read) is secret:manager,developer.
The column label on id3 is secret:manager,developer.
A user can read a labeled column only if the user's maximum read label dominates the column label, that is, the level is the same or higher and the compartment set is a superset. developer's compartment set {developer} does not contain manager, so developer has no select privilege on id3; manager's compartment set {developer, manager} covers the column label, so manager can select id3.
List the inference rules (functional dependencies) defined on the test_infer table above:
select mac_list_fds('public','test_infer');
Switch to the developer user and then to the manager user, and select the unlabeled column id2:
select id2 from test_infer;
developer:
manager:
From the results above, developer has no permission to access column id2, while manager can access it. The inference rule id2 -> id3 means the value of id2 determines, and therefore discloses, the value of id3, so when id2 is selected the label of id3 is applied to the query as well. developer's maximum read label does not dominate secret:manager,developer, which is why developer is denied on id2 even though id2 itself carries no label.
Log in as the uxop user and drop the rule id2 -> id3, then list the remaining rules:
select mac_drop_fd('public','test_infer','id2','id3');
select mac_list_fds('public','test_infer');
Log in as developer and select columns id2 and id3 in turn:
select id2 from test_infer;
select id3 from test_infer;
After the inference rule id2 -> id3 is dropped, developer can select id2 successfully. id3 still carries the label secret:manager,developer, so developer still cannot access id3.
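The access decisions worked through above, as an added model written for this page rather than UXDB's own code: it simulates the check that the observed behaviour implies, namely that a select is allowed only if the user's maximum read label dominates the label of every column reachable from the selected columns through the inference rules. The level order (public below secret, assumed to follow the order given to mac_create_policy), the single-column lhs -> rhs form of the rules, the standard MLS dominance rule, and all function and class names are assumptions of this model; the users, labels and the rule id2 -> id3 are the ones configured above.

```python
# Added example: a model of UXDB-style column labels plus inference rules.
# It is NOT UXDB's implementation; the level order, the single-column
# form of the rules, the dominance rule and all names are assumptions.
from dataclasses import dataclass

# Assumed: the levels passed to mac_create_policy are listed low to high.
LEVELS = ["public", "secret"]


@dataclass(frozen=True)
class Label:
    """A label 'level:comp1,comp2' as written for mac_set_user_label / mac_set_column_label."""
    level: str
    compartments: frozenset

    @classmethod
    def parse(cls, text: str) -> "Label":
        level, _, comps = text.partition(":")
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        parts = frozenset(c.strip() for c in comps.split(",") if c.strip())
        return cls(level, parts)

    def dominates(self, other: "Label") -> bool:
        # MLS dominance: level at least as high and every compartment of `other` present.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def fd_closure(selected, fds):
    """Columns whose values are disclosed by reading `selected`: the selected
    columns plus everything reachable through rules lhs -> rhs, transitively."""
    closure = set(selected)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if lhs in closure and rhs not in closure:
                closure.add(rhs)
                changed = True
    return closure


def denied_columns(max_read, selected, column_labels, fds):
    """Labeled columns in the closure that `max_read` does not dominate.
    Unlabeled columns never block a read on their own."""
    return {col for col in fd_closure(selected, fds)
            if col in column_labels and not max_read.dominates(column_labels[col])}


def can_select(max_read, selected, column_labels, fds):
    return not denied_columns(max_read, selected, column_labels, fds)


# The configuration from the page: the users' max_read labels, the column
# label on id3, and the rule id2 -> id3 that mac_list_fds reports before it is dropped.
USERS = {
    "developer": Label.parse("secret:developer"),
    "manager": Label.parse("secret:developer,manager"),
}
COLUMN_LABELS = {"id3": Label.parse("secret:manager,developer")}
FDS_BEFORE_DROP = {("id2", "id3")}
FDS_AFTER_DROP = set()  # after mac_drop_fd('public','test_infer','id2','id3')


def walkthrough():
    """The five observations from the text as (user, column, rules) -> allowed."""
    return {
        ("developer", "id2", "before"): can_select(USERS["developer"], ["id2"], COLUMN_LABELS, FDS_BEFORE_DROP),
        ("manager", "id2", "before"): can_select(USERS["manager"], ["id2"], COLUMN_LABELS, FDS_BEFORE_DROP),
        ("developer", "id2", "after"): can_select(USERS["developer"], ["id2"], COLUMN_LABELS, FDS_AFTER_DROP),
        ("developer", "id3", "after"): can_select(USERS["developer"], ["id3"], COLUMN_LABELS, FDS_AFTER_DROP),
        ("manager", "id3", "after"): can_select(USERS["manager"], ["id3"], COLUMN_LABELS, FDS_AFTER_DROP),
    }


if __name__ == "__main__":
    for (user, column, when), allowed in walkthrough().items():
        verdict = "allowed" if allowed else "denied"
        print(f"{user:9} select {column} ({when} dropping id2->id3): {verdict}")
```

The model makes the page's point explicit: dropping the rule changes nothing about id3's label, it only shrinks the closure of a select on id2 from {id2, id3} to {id2}, so the label of id3 stops being consulted for that query. The closure is transitive, so a chain id1 -> id2 -> id3 would pull id3's label into a select on id1 as well.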